Date:      Fri, 21 Nov 2003 14:30:08 +0100
From:      des@des.no (Dag-Erling Smørgrav)
To:        Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: "secure" file flag?
Message-ID:  <xzpsmkhyhlr.fsf@dwp.des.no>
In-Reply-To: <20031121124350.GT511@garage.freebsd.pl> (Pawel Jakub Dawidek's message of "Fri, 21 Nov 2003 13:43:50 +0100")
References:  <20031119003133.18473.qmail@web11404.mail.yahoo.com> <200311201327.29226.wes@softweyr.com> <20031121095939.GS511@garage.freebsd.pl> <xzp65hegd9q.fsf@dwp.des.no> <20031121124350.GT511@garage.freebsd.pl>

Pawel Jakub Dawidek <nick@garage.freebsd.pl> writes:
> I'm aware of this, but what we want to think over here is something like
> in-kernel 'rm -P'. So file will be overwritten even if it is opened
> and/or link count is greater than 0.

That is not acceptable.  First of all, it breaks a lot of assumptions
in the filesystem code.  Second, it is incompatible with the common
technique of unlinking a temporary file immediately after opening it
to avoid having it stick around if the process that created it dies
prematurely.  Your proposed change would thus reduce security rather
than enhance it.

Besides, overwriting the contents of a file when it is removed from
the file system is not enough.  You also need to overwrite every block
or fragment which is released any time the file shrinks.

Fortunately, ufs always truncates a file to length 0 when it is
removed, so you only need to modify ffs_truncate() to implement both
aspects (truncation and removal).  You should also take care to
overwrite the file's extended attributes if it has any.

Finally, I think a filesystem flag is much better for this purpose
than a file flag; and in either case, file removal and truncation
performance will be awful.

DES
-- 
Dag-Erling Smørgrav - des@des.no